Utilization management system, management device, utilization control device, utilization management method, and computer-readable program

ABSTRACT

According to the present invention, the convenience of a utilization management technology for a usage target object is enhanced and the security risk is reduced. This utilization control device (1) is capable of communicating only in a near field communication (63) and stores a first public key that is paired with a first secret key stored in a management device (2). When hole data is received with a first signature from a provider terminal (3), the first signature is verified by means of the first key, and when the signature verification is established, the hole data is set to an own device (1). The hole data includes a second public key that is paired with a second secret key stored in the management device (2). When a utilization permit card is received with a second signature from a user terminal (4), the second signature is verified with the second public key, and when the signature verification is validated, transaction information included in the utilization permit card is acquired. In addition, with reference to the acquired transaction information, when a condition specified by the transaction information is satisfied, a utilization limit to the object to be utilized (a house (50)) is released.

TECHNICAL FIELD

The present invention relates to a utilization management technique for managing use of a usage target object whose use can be limited by locking/unlocking, access control, or encrypting/decrypting. As such a usage target object, it is possible to mention an entrance of a hotel, an inn, a guesthouse, a house, a warehouse, or a room, a moving body such as an automobile or a bicycle, and a browsing terminal for an electronic medium containing an electronic medical record or an electronic book, for example.

BACKGROUND ART

The Patent Literature 1 discloses a system in which, by carrying a room key only, a user can use various services, including locking and unlocking of a room, in a facility such as a corporate facility, a hospital, a game hall, a public facility, or the like. This system comprises: a room key having a readable and writable Radio Frequency Identification (RFID) tag that can store information such as a room number, a password, customer information, or the like; RFID readers, which are installed at various places of the facility for reading and writing information from and into the RFID tag of the room key; a database, which stores information on rooms and equipment in the facility; and a server, which is connected to the RFID readers and the database via a network and performs management of the rooms and the equipment in the facility. For example, an RFID reader installed at a door or in a room in the facility reads information stored in an RFID tag of a room key and sends the information to the server. Receiving the information, the server compares the room number contained in the information received from the RFID reader with the room number of the room in which the RFID reader is installed, to lock or unlock the room.

CITATION LIST

Patent Literature

Patent Literature 1: Japanese Unexamined Patent Application Laid-Open No. 2003-132435

SUMMARY OF INVENTION

Technical Problem

The system of the Patent Literature 1, however, premises that a room key is lent out and returned at a reception desk of a facility such as a corporate facility, a hospital, a game hall, or a public facility. Therefore, even if a reservation of the facility is made via the Internet, a user of the facility must stop at the reception desk of the management section of the facility in order to borrow a room key before moving to the reserved facility. Further, after using the facility, the user must stop at the reception desk of the management section in order to return the room key. Accordingly, a geographical distance between the reserved facility and the management section managing the facility causes inconvenience to the user.

Further, in the system of the Patent Literature 1, the RFID readers installed at various places of the facility read information stored in the RFID tag of a room key, and send the information to the server via the network. Accordingly, in the case where the server is placed outside the facility and the RFID readers installed at various places inside the facility are connected to the server placed outside the facility via the Internet, read information is transmitted over the Internet each time an RFID reader reads information from the RFID tag of a room key. This therefore increases the security risk.

The present invention has been made taking the above situation into consideration. An object of the invention is to reduce security risks while improving convenience in a utilization management technique for managing use of a usage target object whose use can be restricted by locking/unlocking, access control, or encrypting/decrypting, the usage target object including an entrance of a hotel, an inn, a guesthouse, a house, a warehouse, or a room, a moving body such as an automobile or a bicycle, and a browsing terminal for an electronic medium containing an electronic health record or an electronic book, for example.

Solution to Problem

To solve the above problems, the present invention provides a utilization control device that controls use of the usage target object by locking/unlocking, access control or encrypting/decrypting based on a use permit; a management device that manages the usage target object by association with the utilization control device; a provider terminal that sets hole data required for verification of the use permit in the utilization control device; and a user terminal that notifies the utilization control device of the use permit.

Here, the utilization control device can communicate only via Near Field Communication, and is separated from a network. Further, the utilization control device stores a first public key that is the pair to a first secret key stored in the management device in association with the utilization control device. When the utilization control device receives the hole data together with a first signature from the provider terminal via the Near Field Communication, the utilization control device verifies the first signature by using the first public key, and sets the hole data in the utilization control device itself when the verification is established. The hole data includes a second public key that is the pair to a second secret key stored in the management device in association with the utilization control device. Further, when the utilization control device receives the use permit together with a second signature from the user terminal via the Near Field Communication, the utilization control device verifies the second signature by using the second public key, and obtains transaction information included in the use permit when the signature verification is established. Then, the utilization control device refers to the obtained transaction information, and lifts restriction on use of the usage target object when conditions specified by the transaction information are satisfied.

The transaction information included in the use permit may be encrypted by using a common key that the utilization control device shares with the management device. The utilization control device uses the common key to decrypt the encrypted transaction information included in the use permit received from the user terminal. In this case, the common key may be included in the hole data sent to the utilization control device.

For example, the present invention provides a utilization management system that manages use of a usage target object, comprising:

a utilization control device that controls use of the usage target object by locking/unlocking, access control, or encrypting/decrypting, based on a use permit;

a management device that manages the usage target object by association with the utilization control device;

a provider terminal that sets hole data required for verification of the use permit in the utilization control device; and

a user terminal that notifies the utilization control device of the use permit; wherein

the management device comprises:

a transaction management means that manages transaction information that includes conditions for using the usage target object;

an object management means that manages a first secret key/public key by association with the utilization control device;

a hole management means that manages a second secret key/public key by association with the utilization control device;

a hole data processing means that uses the first secret key managed by the object management means to generate a first signature on the hole data that includes the second public key managed by the hole management means; and sends the hole data and the first signature to the provider terminal; and

a use permit processing means that uses the second secret key managed by the hole management means to generate a second signature on the use permit that includes the transaction information managed by the transaction management means; and sends the use permit and the second signature to the user terminal;

the provider terminal sends the hole data and the first signature received from the management device to the utilization control device via Near Field Communication;

the user terminal sends the use permit and the second signature received from the management device to the utilization control device via the Near Field Communication; and

the utilization control device can communicate only via the Near Field Communication, and comprises

a hole setting means that verifies the first signature received together with the hole data from the provider terminal by using the pre-registered first public key, and sets the hole data in the utilization control device itself when the verification is established;

a transaction information obtaining means that verifies the second signature received together with the use permit from the user terminal by using the second public key included in the hole data set in the utilization control device itself, and obtains the transaction information included in the use permit when the verification is established; and

a lifting means that lifts restriction on use of the usage target object with reference to the transaction information obtained by the transaction information obtaining means when the conditions specified by the transaction information are satisfied.

Advantageous Effects of Invention

In the present invention, the utilization control device can communicate only via Near Field Communication, and is separated from a network. Accordingly, the utilization control device cannot be attacked from the outside via a network such as the Internet. Further, the use permit used for lifting the restriction on use of the usage target object is validated by verifying the second signature added to the use permit, by using the second public key included in the hole data. Further, the hole data is validated by verifying the first signature added to the hole data, by using the first public key. Thus, the present invention can reduce security risks.

Further, according to the present invention, the restriction on use of the usage target object is lifted only when the conditions specified by the transaction information included in the use permit are satisfied. When the conditions are not satisfied, the restriction on use of the usage target object is not lifted. Accordingly, by making the transaction information include conditions such as a time limit for use, the number of times of use, and the like, a use permit that does not satisfy these conditions becomes invalid even though it has been authenticated. As a result, it is not necessary for the user of the usage target object (the user of the user terminal) to return the use permit. Thus, according to the present invention, convenience is improved.

Thus, according to the present invention, it is possible to improve convenience while reducing security risks in a use management technique that can restrict use of a usage target object by locking/unlocking, access control, or encrypting/decrypting.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic configuration diagram showing a utilization management system according to one embodiment of the present invention;

FIG. 2 is a sequence diagram showing an example of an object registration operation for registering a utilization control device 1 in a management device 2 in the utilization management system of the one embodiment of the present invention;

FIG. 3 is a sequence diagram showing an example of a hole setting operation for setting hole data in the utilization control device 1 in the utilization management system of the one embodiment of the present invention;

FIG. 4 is a sequence diagram showing an example of a transaction information registration operation for registering transaction information, which includes conditions for using a usage target object, in the management device 2 in the utilization management system of the one embodiment of the present invention;

FIG. 5 is a sequence diagram showing an example of a use permit issue operation for the management device 2 to issue a use permit to a user terminal 4 in the utilization management system of the one embodiment of the present invention;

FIG. 6 is a sequence diagram showing an example of a use restriction lift operation for the utilization control device 1 to lift restriction on use of a usage target object in the utilization management system of the one embodiment of the present invention;

FIG. 7 is a schematic functional configuration diagram of the utilization control device 1;

FIG. 8 is a flowchart for explaining operation of the utilization control device 1;

FIG. 9 is a schematic functional configuration diagram of the management device 2;

FIG. 10 is a diagram showing schematically an example of contents registered in a user information storage part 221;

FIG. 11 is a diagram showing schematically an example of contents registered in a provider information storage part 222;

FIG. 12 is a diagram showing schematically an example of contents registered in an object data storage part 223;

FIG. 13 is a diagram showing schematically an example of contents registered in a hole data storage part 224;

FIG. 14 is a diagram showing schematically an example of contents registered in a transaction information storage part 225;

FIG. 15 is a flowchart for explaining operation of the management device 2;

FIG. 16 is a flowchart for explaining the object registration request processing S305 shown in FIG. 15;

FIG. 17 is a flowchart for explaining the hole generation request processing S306 shown in FIG. 15;

FIG. 18 is a flowchart for explaining the transaction request processing S309 shown in FIG. 15;

FIG. 19 is a flowchart for explaining the use permit request processing S310 shown in FIG. 15;

FIG. 20 is a schematic configuration diagram showing a variation of the utilization management system shown in FIG. 1; and

FIG. 21 is a sequence diagram showing an example of a use restriction lift operation for a utilization control device 1A to lift restriction on use of a usage target object in the variation of the utilization management system shown in FIG. 20.

DESCRIPTION OF EMBODIMENTS

In the following, one embodiment of the present invention will be described referring to the drawings.

FIG. 1 is a schematic configuration diagram showing a utilization management system according to the present embodiment.

As shown in the figure, the utilization management system of the present embodiment comprises a utilization control device 1, a management device 2, a provider terminal 3, and a user terminal 4.

The utilization control device 1, which is provided for each usage target object, can communicate only by using Near Field Communication 63 such as Infrared Data Association (IrDA) or Bluetooth (registered trademark), and controls use of the usage target object, by locking/unlocking, access control, or encrypting/decrypting on the basis of a use permit. Here, it is assumed that the usage target object is a house 50 and use of the house 50 is controlled by locking and unlocking of an entrance 51. The management device 2 manages the utilization control device 1. Further, the management device 2 sends hole data, which is used for verification of a use permit, to the provider terminal 3 via a Wide Area Network (WAN) 60, and sends the use permit to the user terminal 4. The provider terminal 3, which is provided for each provider, is connected to the WAN 60 via a wireless network 62 and a relay device 61 such as a wireless base station or an access point, and receives the hole data from the management device 2. Further, the provider terminal 3 sends the hole data received from the management device 2 to the utilization control device 1 via the Near Field Communication 63. The user terminal 4, which is provided for each user, is connected to the WAN 60 via the wireless network 62 and the relay device 61, and receives the use permit from the management device 2. Further, the user terminal 4 sends the use permit received from the management device 2 to the utilization control device 1 via the Near Field Communication 63.

FIG. 2 is a sequence diagram showing an example of an object registration operation for registering the utilization control device 1 in the management device 2 in the utilization management system of the present embodiment.

First, when the provider terminal 3 receives a login operation from the provider who provides the services for using the usage target object (house 50) (S100), the provider terminal 3 sends a login request that includes the provider's user ID and password to the management device 2 (S101). Receiving the login request, the management device 2 performs authentication processing by using the password included in the login request and a password that is managed by association with the user ID included in the login request (S102). When the authentication is established, the management device 2 permits the login of the provider terminal 3, i.e., the sender of the login request, and sends a login permission notice to the provider terminal 3 (S103).

Next, when the provider terminal 3 receives from the provider an object registration request operation accompanied by facility information that includes the facility name and the address of the house 50 as the usage target object (S104), the provider terminal 3 sends an object registration request including the facility information of the house 50 to the management device 2 (S105). Receiving the object registration request, the management device 2 issues an object ID to be given to the utilization control device 1, which is used for use control (control of locking/unlocking of the entrance 51) of the house 50. Further, the management device 2 generates a first secret key/public key according to the public key cryptosystem. Then, the management device 2 generates object data that includes the object ID, the first secret key/public key, and the facility information included in the object registration request (S106). Then, the management device 2 registers and manages the generated object data by associating the object data with the provider's user ID (S107). Thereafter, the management device 2 sends an object registration notice that includes the object ID and the first public key to the provider terminal 3 (S108).

Next, when the provider terminal 3 receives an object setting operation from the provider in a state that the provider terminal 3 is so close to the utilization control device 1 that it is possible to perform the Near Field Communication 63 (S109), the provider terminal 3 sends the object registration notice received from the management device 2 to the utilization control device 1 via the Near Field Communication 63 (S110). Receiving the notice, the utilization control device 1 sets in the utilization control device 1 itself the object ID and the first public key included in the object registration notice (S111).

FIG. 3 is a sequence diagram showing an example of a hole setting operation for setting hole data in the utilization control device 1 in the utilization management system of the present embodiment.

First, when the provider terminal 3 receives a login operation from the provider who provides the service for using the usage target object (house 50) (S120), the provider terminal 3 sends a login request that includes the provider's user ID and password to the management device 2 (S121). Receiving the login request, the management device 2 performs authentication processing by using the password included in the login request and a password that is managed by association with the user ID included in the login request (S122). When the authentication is established, the management device 2 permits the login of the provider terminal 3, i.e., the sender of the login request, and sends a login permission notice to the provider terminal 3 (S123).

Next, when the provider terminal 3 receives from the provider a hole generation request operation accompanied by designation of the object ID of the utilization control device 1 (S124), the provider terminal 3 sends a hole generation request including the object ID to the management device 2 (S125). Receiving the hole generation request, the management device 2 generates a common key according to the common key cryptosystem, and generates a second secret key/public key according to the public key cryptosystem. Then, the management device 2 generates hole data that includes the object ID, the common key, and the second public key (S126). The management device 2 registers and manages the hole data together with the second secret key (S127). Further, the management device 2 specifies the object data that includes the object ID designated by the hole generation request operation among the object data under its management, and generates a first signature on the hole data by using the first secret key included in the object data (S128). Thereafter, the management device 2 sends the generated hole data and first signature to the provider terminal 3 (S129).

Next, when the provider terminal 3 receives a hole setting operation from the provider in a state that the provider terminal 3 is so close to the utilization control device 1 that it is possible to perform the Near Field Communication 63 (S130), the provider terminal 3 sends the hole data and first signature received from the management device 2 to the utilization control device 1 via the Near Field Communication 63 (S131). Receiving the hole data and the first signature, the utilization control device 1 verifies the first signature received from the provider terminal 3 by using the hole data received from the provider terminal 3 and the first public key set in the utilization control device 1 itself (S132). When the signature verification is established, the utilization control device 1 sets the hole data in the utilization control device 1 itself (S133).

FIG. 4 is a sequence diagram showing an example of a transaction information registration operation for registering transaction information, which includes conditions for using the usage target object (house 50), in the management device 2.

First, when the user terminal 4 receives a login operation from a user who receives the services for using the usage target object (house 50) (S140), the user terminal 4 sends a login request that includes the user's user ID and password to the management device 2 (S141). Receiving the login request, the management device 2 performs authentication processing by using the password included in the login request and the password managed by association with the user ID included in the login request (S142). When the authentication is established, the management device 2 permits the login of the user terminal 4, i.e., the sender of the login request, and sends a login permission notice to the user terminal 4 (S143).

Next, when the user terminal 4 receives from the user a transaction request operation accompanied by designation of the user ID of the provider who provides the services for using the desired usage target object (house 50), the object ID of the utilization control device 1 installed in the usage target object, and desire information on use of the usage target object such as desired start and end times of use, the number of times of use, and the like (S144), the user terminal 4 sends to the management device 2 a transaction request that includes the designated provider's user ID, object ID, and desire information on use (S145).

Receiving the transaction request, the management device 2 checks the transaction contents on the basis of the information included in the transaction request (S146). In detail, the management device 2 confirms that there is object data having the object ID included in the transaction request among the object data managed by association with the provider's user ID included in the transaction request, to determine that the services desired by the user can be provided. Then, the management device 2 generates a transaction approval/disapproval inquiry that includes the object ID and the desire information on use, which are included in the transaction request, and sends the transaction approval/disapproval inquiry to the provider terminal 3 that is identified by address information managed by association with the provider's user ID included in the transaction request (S147).

Next, when the provider terminal 3 receives the transaction approval/disapproval inquiry from the management device 2, the provider terminal 3 asks the provider about approval/disapproval of the transaction, by displaying the object ID and the desire information on use included in the transaction approval/disapproval inquiry. When the provider terminal 3 receives a transaction acceptance operation from the provider to the effect that the provider accepts the transaction (to provide the user with the services for using the usage target object whose use is under restriction by the utilization control device 1 identified by the object ID) (S148), the provider terminal 3 sends to the management device 2 a transaction acceptance response as a response to the transaction approval/disapproval inquiry (S149).

Receiving the transaction acceptance response, the management device 2 determines that the transaction has been established, and issues a transaction ID. Then, the management device 2 generates transaction information that includes the transaction ID, the user's user ID, the provider's user ID included in the transaction request, the object ID, the desire information on use, and a use permit obtainable time (for example, a time 24 hours before the desired start time of use) determined based on the desired start time of use included in the desire information on use (S150). Next, the management device 2 registers and manages the generated transaction information (S151). Then, the management device 2 sends a transaction establishment notice to the user terminal 4 (S152), to make the user terminal 4 display the transaction information.

FIG. 5 is a sequence diagram showing an example of a use permit issue operation for the management device 2 to issue a use permit to the user terminal 4 in the utilization management system of the present embodiment.

It is assumed that it is after the use permit obtainable time of the transaction information included in the transaction establishment notice received by the user terminal 4 from the management device 2 (S160). When the user terminal 4 receives a login operation from the user who recognizes that it is after the use permit obtainable time (S161), the user terminal 4 sends to the management device 2 a login request that includes the user's user ID and password (S162). Receiving the login request, the management device 2 performs authentication processing by using the password included in the login request and a password that is managed by association with the user ID included in the login request (S163). When the authentication is established, the management device 2 permits the login of the user terminal 4, i.e., the sender of the login request, and sends a login permission notice to the user terminal 4 (S164).

Next, when the user terminal 4 receives from the user a use permit request operation accompanied by designation of the transaction ID included in the transaction information (S165), the user terminal 4 sends a use permit request that includes the transaction ID to the management device 2 (S166).

Receiving the use permit request, the management device 2 specifies the transaction information having the transaction ID included in the use permit request among the transaction information under its management, and confirms that the conditions for issuing a use permit are satisfied, based on the specified transaction information (S167). In detail, it is confirmed that the user ID of the user of the user terminal 4 coincides with the user's user ID included in the transaction information and that the use permit obtainable time included in the transaction information has passed. Then, the management device 2 specifies the hole data having the object ID included in the transaction information among the hole data under its management. Then, the management device 2 encrypts the transaction information by using the common key of the specified hole data, and issues a use permit that includes the encrypted transaction information (S168). Next, the management device 2 generates a second signature on the use permit by using the second secret key managed by association with the specified hole data (S169). Thereafter, the management device 2 sends the use permit and the second signature to the user terminal 4 (S170).

FIG. 6 is a sequence diagram showing an example of a use restriction lift operation for the utilization control device 1 to lift restriction on use of the usage target object in the utilization management system of the present embodiment.

It is assumed that it is after the usable period start time (the start time of the period in which the object can be used) included in the desire information on use in the transaction information included in the transaction establishment notice that the user terminal 4 has received from the management device 2 (S180). When the user terminal 4 receives a use operation from the user who recognizes that the present date is within the period specified by the usable period start and end times included in the desire information on use in the transaction information, in a state that the user terminal 4 is close to the utilization control device 1 installed in the usage target object (house 50), which the user desires to receive the services of using, at a distance that allows the Near Field Communication 63 with the utilization control device 1 (S181), the user terminal 4 sends the use permit and the second signature received from the management device 2 via the Near Field Communication 63 to the utilization control device 1 (S182).

Receiving this, the utilization control device 1 verifies the second signature received from the user terminal 4 by using the use permit received from the user terminal 4 and the second public key included in the hole data set in the utilization control device 1 itself (S183). When the signature verification is established, the utilization control device 1 decrypts the encrypted transaction information included in the use permit by using the common key included in the hole data (S184).

Next, the utilization control device 1 confirms satisfaction of the conditions specified by the desire information on use included in the decrypted transaction information (S185). In detail, the utilization control device 1 confirms that the present date is within the period specified by the usable period start and end times included in the desire information on use. Further, the utilization control device 1 confirms that the number of times of use managed by association with the transaction ID of the transaction information is less than the number of times of use included in the desire information on use. Then, when it is confirmed that the conditions specified by the desire information on use are satisfied, the utilization control device 1 lifts the restriction on use of the usage target object (S186). Here, the utilization control device 1 unlocks the automatic lock of the entrance 51 of the house 50 as the usage target object.

Thereafter, the utilization control device 1 sends a use restriction lifting notice to the user terminal 4 via the Near Field Communication 63 (S187). Then, the utilization control device 1 increments by one the number of times of use managed by association with the transaction ID of the transaction information (S188). Here, in the case where no number of times of use has yet been managed by association with the transaction ID of the transaction information, the number of times of use "1" is managed by association with the transaction ID of the transaction information.

Next, details of the utilization control device and the managementdevice 2 as components of the utilization management system of thepresent invention will be described. On the other hand, description ofdetails of the provider terminal 3 and the user terminal 4 will beomitted since existing network terminals such as smartphones, tabletPersonal Computers (PC), or the like having the Near Field Communicationfunction can be used as those terminals.

First, details of the utilization control device 1 will be described.

FIG. 7 is a schematic functional configuration diagram of the utilization control device 1.

As shown in the figure, the utilization control device 1 comprises a Near Field Communication part 10, a setting information etcetera storage part 11, an object setting part 12, a hole setting part 13, a use restriction lifting part 14, a signature verification part 15, and a decryption part 16.

The Near Field Communication part 10 communicates with the provider terminal 3 and the user terminal 4 via the Near Field Communication 63 such as an IrDA device, Bluetooth (registered trademark), or the like.

The setting information etcetera storage part 11 stores setting information such as the object ID, the first public key, the hole data, and the like. Further, the setting information etcetera storage part 11 stores determination information that is used for determining whether the conditions, such as the number of times of use, for using the usage target object are satisfied.

The object setting part 12 stores, as the setting information, the object ID and the first public key obtained from the provider terminal 3 into the setting information etcetera storage part 11.

The hole setting part 13 stores the hole data as the setting information into the setting information etcetera storage part 11 when verification of the first signature obtained together with the hole data from the provider terminal 3 is established.

The use restriction lifting part 14 lifts the restriction on use of the usage target object when verification of the second signature obtained together with the use permit from the user terminal 4 is established and the conditions specified by the desire information on use in the transaction information included in the use permit are satisfied. In the present embodiment, the use restriction lifting part 14 outputs an unlocking instruction to the automatic lock of the entrance 51 of the house 50. Further, the use restriction lifting part 14 registers/updates determination information, which includes for example the number of times of use, into/in the setting information etcetera storage part 11.

The signature verification part 15 verifies, according to an instruction of the hole setting part 13, the first signature on the hole data by using the first public key stored in the setting information etcetera storage part 11. Further, the signature verification part 15 verifies, according to an instruction of the use restriction lifting part 14, the second signature on the use permit by using the second public key included in the hole data stored in the setting information etcetera storage part 11.

The decryption part 16 decrypts, according to an instruction of the use restriction lifting part 14, the encrypted transaction information included in the use permit by using the common key included in the hole data stored in the setting information etcetera storage part 11.

Here, the schematic functional configuration of the utilization control device 1 shown in FIG. 7 may be implemented by hardware, for example by using an integrated logic IC such as an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), or the like, or may be implemented by software on a computer device such as a Digital Signal Processor (DSP), or the like. Or, in a general-purpose computer comprising a CPU, a memory, an auxiliary storage such as a flash memory or a hard disk drive, and a Near Field Communication device such as an IrDA communication device or a Bluetooth (registered trademark) communication device, the schematic functional configuration may be implemented by the CPU loading a prescribed program into the memory from the auxiliary storage and executing the program.

FIG. 8 is a flowchart for explaining operation of the utilization control device 1.

When the object setting part 12 receives an object registration notice from the provider terminal 3 via the Near Field Communication part 10 (YES in S200), the object setting part 12 stores, as the setting information, the object ID and the first public key included in the object registration notice into the setting information etcetera storage part 11 (S201).

Further, when the hole setting part 13 receives the hole data and the first signature from the provider terminal 3 via the Near Field Communication part 10 (YES in S202), the hole setting part 13 delivers the hole data and the first signature to the signature verification part 15 and requests the signature verification part 15 to verify the first signature. Receiving the request, the signature verification part 15 verifies the first signature on the hole data by using the first public key stored in the setting information etcetera storage part 11 (S203). In detail, the signature verification part 15 verifies the validity of the first signature by using the first public key to decrypt the first signature and by determining whether the decrypted information coincides with the hole data or the message digest (hash value) of the hole data.

Next, the signature verification part 15 notifies the hole setting part 13 of the verification result of the first signature. Receiving this, when the verification of the first signature is established to validate the first signature (YES in S204), the hole setting part 13 stores the hole data as the setting information into the setting information etcetera storage part 11 (S205). On the other hand, when the verification of the first signature fails and the first signature cannot be validated (NO in S204), the hole setting part 13 performs predetermined error processing such as sending of an error message to the provider terminal 3 via the Near Field Communication part 10 (S206).

Further, when the use restriction lifting part 14 receives the use permit and the second signature from the user terminal 4 via the Near Field Communication part 10 (YES in S207), the use restriction lifting part 14 delivers the use permit and the second signature to the signature verification part 15 and instructs the signature verification part 15 to verify the second signature. Receiving the instruction, the signature verification part 15 verifies the second signature on the use permit by using the second public key included in the hole data that is stored in the setting information etcetera storage part 11 (S208). In detail, the signature verification part 15 verifies the validity of the second signature by using the second public key to decrypt the second signature and by determining whether the decrypted information coincides with the use permit or the message digest of the use permit.

Next, the signature verification part 15 notifies the use restriction lifting part 14 of the verification result of the second signature. Receiving this, when the verification of the second signature is established to validate the second signature (YES in S209), the use restriction lifting part 14 delivers the encrypted transaction information included in the use permit to the decryption part 16 and instructs the decryption part 16 to decrypt the encrypted transaction information. On the other hand, when the verification of the second signature fails and the second signature cannot be validated (NO in S209), the use restriction lifting part 14 performs predetermined error processing such as sending of an error message to the user terminal 4 via the Near Field Communication part 10 (S214).

Next, when the decryption part 16 receives the instruction of decrypting together with the encrypted transaction information from the use restriction lifting part 14, the decryption part 16 decrypts the encrypted transaction information by using the common key included in the hole data that is stored in the setting information etcetera storage part 11 (S210). Then, the decryption part 16 delivers the decrypted transaction information to the use restriction lifting part 14.

Receiving the decrypted transaction information, the use restriction lifting part 14 determines satisfaction of the conditions specified by the desire information on use included in the decrypted transaction information (S211). In detail, the use restriction lifting part 14 determines whether the present date is within the period specified by the usable period start and end times included in the desire information on use. Further, the use restriction lifting part 14 determines whether the number of times of use stored in the setting information etcetera storage part 11 in association with the transaction ID of the transaction information is less than the number of times of use included in the desire information on use. Here, in the case where no number of times of use is stored in the setting information etcetera storage part 11 in association with the transaction ID of the transaction information, the number of times of use is determined to be “0”.

Next, when the use restriction lifting part 14 determines that the conditions specified by the desire information on use included in the transaction information are satisfied (YES in S211), the use restriction lifting part 14 lifts the restriction on use of the usage target object (S212). In the present embodiment, the use restriction lifting part 14 outputs an unlocking instruction to the automatic lock of the entrance 51 of the house 50. Further, the use restriction lifting part 14 updates the number of times of use stored in the setting information etcetera storage part 11 in association with the transaction ID of the transaction information (S213). Here, in the case where the number of times of use is not registered in the setting information etcetera storage part 11 in association with the transaction ID of the transaction information, the use restriction lifting part 14 registers “1” as the number of times of use in the setting information etcetera storage part 11 in association with the transaction ID of the transaction information.

On the other hand, when the use restriction lifting part 14 determines that the conditions specified by the desire information on use included in the transaction information are not satisfied (NO in S211), the use restriction lifting part 14 performs predetermined error processing such as sending of an error message to the user terminal 4 via the Near Field Communication part 10 (S214).

Next, details of the management device 2 will be described.

FIG. 9 is a schematic functional configuration diagram of the management device 2.

As shown in the figure, the management device 2 comprises a WAN interface part 200, a storage part 201, a user management part 202, an object management part 203, a hole management part 204, a transaction management part 205, a login processing part 206, an object registration request processing part 207, a hole generation request processing part 208, a transaction approval/disapproval inquiry part 209, a transaction request processing part 210, and a use permit request processing part 211.

The WAN interface part 200 is an interface for connecting with the WAN 60.

The storage part 201 comprises a user information storage part 221, a provider information storage part 222, an object data storage part 223, a hole data storage part 224, and a transaction information storage part 225.

The user information storage part 221 stores user information of each user.

FIG. 10 is a diagram showing schematically an example of contents registered in the user information storage part 221.

As shown in the figure, the user information storage part 221 stores a record 2210 of user information for each user. The record 2210 of user information comprises: a field 2211 for registering a user ID of a user; a field 2212 for registering a password of the user; a field 2213 for registering address information of the user terminal 4 on the WAN 60; and a field 2214 for registering personal information of the user such as a name, an address, contact information, and the like.

The provider information storage part 222 stores provider information for each provider.

FIG. 11 is a diagram showing schematically an example of contents registered in the provider information storage part 222.

As shown in the figure, the provider information storage part 222 stores a record 2220 of provider information for each provider. The record 2220 of provider information comprises: a field 2221 for registering a user ID of a provider; a field 2222 for registering a password of the provider; a field 2223 for registering address information of the provider terminal 3 on the WAN 60; and a field 2224 for registering personal information of the provider such as a name, an address, contact information, and the like.

The object data storage part 223 stores object data for each utilization control device 1.

FIG. 12 is a diagram showing schematically an example of contents registered in the object data storage part 223.

As shown in the figure, the object data storage part 223 stores a record 2230 of object data for each utilization control device 1. The record 2230 of object data comprises: a field 2231 for registering an object ID as an identifier; a field 2232 for registering a first public key; a field 2233 for registering a first secret key; a field 2234 for registering facility information that includes a facility name, an address, and the like of a house 50 as a usage target object; and a field 2235 for registering a user ID of a provider who provides services for using the usage target object.

The hole data storage part 224 stores information that includes hole data for each utilization control device 1.

FIG. 13 is a diagram showing schematically an example of contents registered in the hole data storage part 224.

As shown in the figure, the hole data storage part 224 stores a record 2240 of hole data for each utilization control device 1. The record 2240 of hole data comprises: a field 2241 for registering a hole ID as an identifier; a field 2242 for registering a second public key; a field 2243 for registering a second secret key; a field 2244 for registering a common key; and a field 2245 for registering an object ID given to a utilization control device 1 in which the hole data is set. Here, the second public key, the common key, and the object ID registered respectively in the fields 2242, 2244, and 2245 make up the hole data set in the utilization control device 1.

The transaction information storage part 225 stores transaction information for each transaction established between a provider and a user with respect to services for using a usage target object.

FIG. 14 is a diagram showing schematically an example of contents registered in the transaction information storage part 225.

As shown in the figure, the transaction information storage part 225 stores a record 2250 of transaction information for each transaction of services for using a usage target object. The record 2250 of transaction information comprises: a field 2256 for registering a transaction ID as an identifier; a field 2251 for registering an object ID given to a utilization control device 1 installed in a usage target object that becomes an object of transaction of services for using the usage target object; a field 2252 for registering a user ID of a user; a field 2253 for registering a user ID of a provider; a field 2254 for registering the user's desire information on use, including usable period start and end times and the number of times of use; and a field 2255 for registering a use permit obtainable time, at which it becomes possible to obtain a use permit.

The user management part 202 manages the user information by using the user information storage part 221 and manages the provider information by using the provider information storage part 222.

The object management part 203 manages the object data by using the object data storage part 223.

The hole management part 204 manages the hole data by using the hole data storage part 224.

The transaction management part 205 manages the transaction information by using the transaction information storage part 225.

The login processing part 206 processes a login request received from the provider terminal 3 or the user terminal 4, in cooperation with the user management part 202.

The object registration request processing part 207 processes an object registration request received from the provider terminal 3, in cooperation with the object management part 203.

The hole generation request processing part 208 processes a hole generation request received from the provider terminal 3, in cooperation with the object management part 203 and the hole management part 204.

The transaction approval/disapproval inquiry part 209 inquires of the provider terminal 3 as to transaction approval/disapproval concerning services for using a usage target object, according to instructions of the transaction request processing part 210.

The transaction request processing part 210 processes a transaction request received from the user terminal 4, in cooperation with the transaction management part 205 and the transaction approval/disapproval inquiry part 209.

The use permit request processing part 211 processes a use permit request received from the user terminal 4, in cooperation with the hole management part 204 and the transaction management part 205.

Here, the schematic functional configuration of the management device 2 shown in FIG. 9 may be implemented by hardware, for example by using an integrated logic IC such as an ASIC, an FPGA, or the like, or by software on a computer device such as a DSP, or the like. Or, in a general-purpose computer comprising a CPU, a memory, an auxiliary storage such as a flash memory or a hard disk drive, and a communication device such as a Network Interface Card (NIC) or the like, the schematic functional configuration may be implemented by the CPU loading a prescribed program into the memory from the auxiliary storage and executing the program. Or, the schematic functional configuration may be implemented by a distributed system in which a plurality of general-purpose computers cooperate with one another.

FIG. 15 is a flowchart for explaining operation of the management device 2.

The flow is started when the WAN interface part 200 receives a login request from the provider terminal 3 or the user terminal 4 via the WAN 60.

First, the WAN interface part 200 notifies the login processing part 206 of the login request received. Receiving this, the login processing part 206 performs login processing (S300).

In detail, in the case where the login request is received from the provider terminal 3, the login processing part 206 notifies the user management part 202 of a password search that is accompanied by designation of the provider's user ID included in the login request. Receiving this, the user management part 202 searches the provider information storage part 222 for a satisfactory record 2220 by using as the key the provider's user ID designated by the login processing part 206. When the record 2220 can be detected, the user management part 202 notifies the login processing part 206 of the password registered in the record 2220. When the record 2220 cannot be detected, the user management part 202 notifies the login processing part 206 to the effect that the searched record does not exist. On the other hand, in the case where the login request is received from the user terminal 4, the login processing part 206 notifies the user management part 202 of a password search that is accompanied by designation of the user's user ID included in the login request. Receiving this, the user management part 202 searches the user information storage part 221 for a satisfactory record 2210 by using as the key the user's user ID designated by the login processing part 206. When the record 2210 can be detected, the user management part 202 notifies the login processing part 206 of the password registered in the record 2210. When the record 2210 cannot be detected, the user management part 202 notifies the login processing part 206 to the effect that the searched record does not exist. When the password received from the user management part 202 coincides with the password included in the received login request, the login processing part 206 permits the login (authentication is established). When the password received from the user management part 202 does not coincide with the password included in the received login request, or when the notice is received from the user management part 202 to the effect that the searched record does not exist, the login processing part 206 rejects the login (authentication is not established).

Next, in the case where the login authentication is not established (NO in S301), the login processing part 206 performs predetermined error processing such as sending of an error message to the sender of the login request via the WAN interface part 200 (S311). On the other hand, in the case where the login authentication is established (YES in S301), the login processing part 206 sends a login permission notice to the sender of the login request via the WAN interface part 200, and manages the state of login of the sender of the login request. At the same time, in the case where the sender of the login request is the provider terminal 3 (“Provider” in S302), the processing proceeds to S303. In the case where the sender is the user terminal 4 (“User” in S302), the processing proceeds to S307.

In S303, the WAN interface part 200 waits for receiving a request from the provider terminal 3 whose login has been permitted. Then, when a request received from the provider terminal 3 is an object registration request (“Object registration request” in S304), the WAN interface part 200 notifies the object registration request processing part 207 of the object registration request together with the provider's user ID included in the login request received from the provider terminal 3, so that the below-described object registration request processing is performed (S305). When a request received from the provider terminal 3 is a hole generation request (“Hole generation request” in S304), the WAN interface part 200 notifies the hole generation request processing part 208 of the hole generation request together with the provider's user ID included in the login request received from the provider terminal 3, so that the below-described hole generation request processing is performed (S306).

Further, in S307, the WAN interface part 200 waits for receiving a request from the user terminal 4 whose login has been permitted. Then, when a request received from the user terminal 4 is a transaction request (“Transaction request” in S308), the WAN interface part 200 notifies the transaction request processing part 210 of the transaction request together with the user's user ID included in the login request received from the user terminal 4, so that the below-described transaction request processing is performed (S309). When a request received from the user terminal 4 is a use permit request (“Use permit request” in S308), the WAN interface part 200 notifies the use permit request processing part 211 of the use permit request together with the user's user ID included in the login request received from the user terminal 4, so that the below-described use permit request processing is performed (S310).

FIG. 16 is a flowchart for explaining the object registration request processing S305 shown in FIG. 15.

First, the object registration request processing part 207 issues an object ID (S3050), and at the same time generates a first secret key/public key pair according to the public key cryptosystem (S3051). Then, the object registration request processing part 207 generates object data that includes the object ID, the first secret key/public key, and the facility information included in the object registration request, and notifies the object management part 203 of the object data together with the provider's user ID to instruct the object management part 203 to manage the object data.

Receiving this, the object management part 203 adds a record 2230 of object data to the object data storage part 223, and registers the object data (the object ID, the first public key, the first secret key, and the facility information) in the record 2230, associating the object data with the provider's user ID (S3052). Then, the object management part 203 notifies the object registration request processing part 207 of the object ID and the first public key.

Next, the object registration request processing part 207 generates an object registration notice that includes the object ID and the first public key notified from the object management part 203, and sends the object registration notice to the provider terminal 3 as the sender of the object registration request (S3053).

FIG. 17 is a flowchart for explaining the hole generation request processing S306 shown in FIG. 15.

First, the hole generation request processing part 208 issues a hole ID (S3060). Further, the hole generation request processing part 208 generates a second secret key/public key pair according to the public key cryptosystem (S3061), and generates a common key according to the common key cryptosystem (S3062).

Next, the hole generation request processing part 208 generates hole data that includes the object ID, which is included in the hole generation request, the second public key, and the common key. Then, the hole generation request processing part 208 notifies the hole management part 204 of the hole data together with the hole ID and the second secret key to instruct the hole management part 204 to manage the hole data. Receiving this, the hole management part 204 adds a record 2240 of hole data in the hole data storage part 224, and registers in the record 2240 the hole data (the object ID, the second public key, the common key) together with the hole ID and the second secret key (S3063).

Next, the hole generation request processing part 208 notifies the object management part 203 of the object ID included in the hole generation request to instruct the object management part 203 to search for the first secret key. Receiving this, the object management part 203 searches the object data storage part 223 for the record 2230 of the object data by using the object ID as the key, and notifies the hole generation request processing part 208 of the first secret key included in the detected record 2230. Then, the hole generation request processing part 208 generates a first signature on the hole data by using the first secret key notified from the object management part 203 (S3064).

Then, the hole generation request processing part 208 sends the hole data together with the first signature to the provider terminal 3 as the sender of the hole generation request (S3065).

FIG. 18 is a flowchart for explaining the transaction request processing S309 shown in FIG. 15.

First, the transaction request processing part 210 notifies the user management part 202 of the provider's user ID included in the transaction request to instruct the user management part 202 to specify the provider terminal 3 of the provider that becomes the transaction partner. Receiving this, the user management part 202 searches the provider information storage part 222 for the record 2220 of the provider by using the provider's user ID as the key. Then, the user management part 202 notifies the transaction request processing part 210 of the address information of the provider terminal 3 included in the detected record 2220 (S3090).

Next, the transaction request processing part 210 notifies the transaction approval/disapproval inquiry part 209 of the object ID of the utilization control device 1 and the desire information on use of the usage target object, which are included in the transaction request, together with the address information notified from the user management part 202, and instructs the transaction approval/disapproval inquiry part 209 to make an inquiry about the transaction approval/disapproval. Receiving this, the transaction approval/disapproval inquiry part 209 generates a transaction approval/disapproval inquiry that includes the object ID of the utilization control device 1 and the desire information on use of the usage target object, and sends the transaction approval/disapproval inquiry via the WAN interface part 200 to the provider terminal 3 specified by the address information notified from the user management part 202 (S3091). Then, when a response to the transaction approval/disapproval inquiry is received (YES in S3092), the transaction approval/disapproval inquiry part 209 notifies the transaction request processing part 210 of the received response.

Next, when the response to the transaction approval/disapproval inquiry is a transaction rejection response (NO in S3093), the transaction request processing part 210 performs error processing such as sending of an error message to the user terminal 4 as the sender of the transaction request via the WAN interface part 200 (S3097).

On the other hand, when the response to the transaction approval/disapproval inquiry is a transaction acceptance response (YES in S3093), the transaction request processing part 210 determines that the transaction has been established, issues a transaction ID, and determines a use permit obtainable time based on the usable period start time in the desire information on use of the usage target object included in the transaction request (S3094). For example, the time 24 hours before the desired start time of use is determined as the use permit obtainable time.

Then, the transaction request processing part 210 generates transaction information that includes the transaction ID, the user's user ID, the provider's user ID, the object ID, and the desire information on use included in the transaction request, and the use permit obtainable time. Then, the transaction request processing part 210 instructs the transaction management part 205 to manage the generated transaction information. Receiving this, the transaction management part 205 adds a record 2250 of transaction information to the transaction information storage part 225, and registers the transaction information (the transaction ID, the object ID, the user's user ID, the provider's user ID, the desire information on use, and the use permit obtainable time) in the record 2250 (S3095).

Next, the transaction request processing part 210 sends a transaction establishment notice that includes the use permit obtainable time to the user terminal 4 as the sender of the transaction request (S3096).

FIG. 19 is a flowchart for explaining the use permit request processing S310 shown in FIG. 15.

First, the use permit request processing part 211 notifies the transaction management part 205 of the transaction ID included in the use permit request to instruct the transaction management part 205 to search for the transaction information. Receiving this, the transaction management part 205 searches the transaction information storage part 225 for the record 2250 of the transaction information by using the transaction ID as the key. Then, the transaction management part 205 notifies the use permit request processing part 211 of the transaction information registered in the record 2250 (S3100).

Next, the use permit request processing part 211 confirms that the user's user ID included in the transaction information notified from the transaction management part 205 is the user ID of the user of the user terminal 4 as the sender of the use permit request notified from the login processing part 206, and confirms that the use permit obtainable time included in the transaction information has passed (S3101).

In the case where the user's user ID included in the transaction information is not the user ID of the user of the user terminal 4 as the sender of the use permit request, or where the use permit obtainable time has not passed (NO in S3101), the use permit request processing part 211 performs predetermined error processing such as sending an error message via the WAN interface part 200 to the user terminal 4 as the sender of the use permit request (S3107).

On the other hand, in the case where the user's user ID included in the transaction information is the user ID of the user of the user terminal 4 as the sender of the use permit request and the use permit obtainable time included in the transaction information has passed (YES in S3101), the use permit request processing part 211 notifies the hole management part 204 of the object ID included in the transaction information to instruct the hole management part 204 to search for the common key and the second secret key. Receiving this, the hole management part 204 searches the hole data storage part 224 for the record 2240 of the hole data by using the object ID as the key. Then, the hole management part 204 notifies the use permit request processing part 211 of the common key and the second secret key included in the detected record 2240 (S3102).

Next, the use permit request processing part 211 encrypts the transaction information by using the common key notified from the hole management part 204 (S3103), and generates a use permit that includes the encrypted transaction information (S3104). Then, the use permit request processing part 211 generates a second signature on the use permit by using the second secret key notified from the hole management part 204 (S3105).

Next, the use permit request processing part 211 sends the use permit and the second signature to the user terminal 4 as the sender of the use permit request (S3106).

One embodiment of the present invention has been described above.

In the present embodiment, the utilization control device 1 can communicate only via the Near Field Communication 63, and is separated from the WAN 60. Accordingly, the utilization control device 1 cannot be attacked from the outside via the WAN 60. Further, the use permit used for lifting the restriction on use of the house 50 as the usage target object is validated by verifying the second signature added to the use permit by using the second public key included in the hole data. Further, the hole data itself is validated by verifying the first signature added to the hole data by using the first public key. Thus, according to the present embodiment, it is possible to reduce security risk.

Further, in the present embodiment, the restriction on use of the usage target object is lifted only when the desire information on use in the transaction information included in the use permit is satisfied, and otherwise the restriction on use of the usage target object is not lifted. Accordingly, by including conditions such as a time limit for use, the number of times of use, and the like in the desire information on use in the transaction information, a use permit that does not satisfy the conditions becomes invalid even though it has been authenticated. As a result, it is not necessary for the user of the usage target object (the user of the user terminal 4) to return the use permit. Thus, according to the present embodiment, convenience is improved.

Thus, according to the present embodiment, it is possible to improve convenience while reducing security risks in use management of a usage target object.

Further, in the present embodiment, the management device 2 manages transaction information that includes a use permit obtainable time. On receiving a use permit request from the user terminal 4, the management device 2 generates a use permit only when the use permit obtainable time included in the transaction information specified by the transaction ID designated by the use permit request has passed. Thus, by setting a time restriction for obtaining a use permit, it is possible to reduce the room for falsifying the use permit and to improve security further.

Further, in the present embodiment, when the management device 2 receives a use request from the user terminal 4, the management device 2 sends a transaction approval/disapproval inquiry that includes the desire information on use included in the use request to the provider terminal 3. Then, when the management device 2 receives a transaction acceptance response as a response to the transaction approval/disapproval inquiry from the provider terminal 3, the management device 2 generates transaction information, and sends to the user terminal 4 a transaction establishment notice that includes the use permit obtainable time included in the transaction information. Accordingly, the provider can express his intention to transact for each transaction (provision) of services for using the usage target object, and the user can know the use permit obtainable time once the transaction is established. Thus, convenience of both the provider of the services for using the usage target object and the user is further improved.

The present invention is not limited to the above embodiment, and can be changed variously within the scope of the invention.

For example, in the above embodiment, a common key shared between the management device 2 and the utilization control device 1 is used. Using the common key, the management device 2 encrypts transaction information that is included in a use permit to be sent to the user terminal 4, and the utilization control device 1 decrypts the encrypted transaction information included in the use permit received from the user terminal 4. The present invention, however, is not limited to this. Without being encrypted, a plain text of transaction information may be sent from the management device 2 to the utilization control device 1 via the user terminal 4.

Further, the above embodiment has been described by taking an example where the usable period start and end times and the number of times of use are used as the desire information on use to be included in transaction information. The present invention, however, is not limited to this. It is sufficient that the desire information on use designates conditions for lifting the restriction on use of the usage target object, and thus the desire information on use may include either the usable period start and end times or the number of times of use. Or, instead of the usable period start and end times and the number of times of use, or instead of either of them, the desire information on use may include other conditions. For example, the desire information on use may include the usable period start and end times and a list of IDs of users whose use is permitted.

FIG. 20 is a schematic configuration diagram showing a variation of the utilization management system shown in FIG. 1.

The variation shown in FIG. 20 is different from the utilization management system shown in FIG. 1 in that an ID card 7 and a card reader 8 are added and that a utilization control device 1A is provided instead of the utilization control device 1. The other configuration of the variation shown in FIG. 20 is similar to the utilization management system shown in FIG. 1.

The ID card 7 is given to a person, such as a family member or a friend, having a relation to a user who enjoys services for using the usage target object (house 50), and the ID card 7 stores a unique permission ID. The card reader 8 is connected to the utilization control device 1A, and sends the permission ID read from the ID card 7 to the utilization control device 1A. The utilization control device 1A has a card reader interface part for connecting to the card reader 8. The other configuration of the utilization control device 1A is similar to the utilization control device 1 shown in FIG. 7.

FIG. 21 is a sequence diagram showing an example of a use restriction lift operation for the utilization control device 1A to lift the restriction on use of the usage target object in the variation of the utilization management system shown in FIG. 20.

In the variation of the utilization management system shown in FIG. 20, the object registration operation and the hole setting operation are similar to the object registration operation and the hole setting operation shown in FIGS. 2 and 3. Further, the transaction information registration operation and the use permit issue operation are similar to the transaction registration operation and the use permit issue operation shown in FIGS. 4 and 5, except that the desire information on use includes a list of permission IDs instead of the number of times of use. Accordingly, detailed description of these operations will be omitted.

It is assumed that the usable period start time included in the desire information on use of the transaction information included in the transaction establishment notice received by the user terminal 4 from the management device 2 has passed (S400). The user, who recognizes that the present date is within the period specified by the usable period start and end times included in the desire information on use in the transaction information, brings the user terminal 4 close to the utilization control device 1A installed in the usage target object (house 50) whose services the user desires to use, at a distance that allows the Near Field Communication 63 with the utilization control device 1A. When the user terminal 4 receives a use operation from the user in this state (S401), the user terminal 4 sends the use permit and the second signature received from the management device 2 to the utilization control device 1A via the Near Field Communication 63 (S402).

Receiving this, the utilization control device 1A verifies the second signature on the use permit received from the user terminal 4 by using the second public key included in the hole data set in the utilization control device 1A itself (S403). When the signature verification is established, the utilization control device 1A decrypts the encrypted transaction information included in the use permit by using the common key included in the hole data (S404).

Next, the utilization control device 1A identifies the desire information on use included in the decrypted transaction information, and confirms that the present date is within the period specified by the usable period start and end times included in the desire information on use (S405). When it is confirmed that the present date is within the period specified by the usable period start and end times included in the desire information on use, the utilization control device 1A determines that preparation is complete for lifting the restriction on use of the usage target object (S406), and sends a use restriction lifting preparation notice to the user terminal 4 via the Near Field Communication (S407).

Next, when the card reader 8 receives a read operation for making the card reader 8 read the permission ID stored in the ID card 7 from a person (such as a family member or a friend) having a relation to the user (S408), the card reader 8 reads the permission ID and sends the permission ID to the utilization control device 1A (S409).

Receiving this, the use restriction lifting part 14 of the utilization control device 1A confirms that the present date is within the period specified by the usable period start and end times included in the desire information on use, and confirms that the permission ID received from the card reader 8 via the card reader interface part exists in the list of permission IDs included in the desire information on use (S410). When it is confirmed that these conditions are satisfied, the use restriction lifting part 14 lifts the restriction on use of the usage target object (S411). Here, the use restriction lifting part 14 unlocks the automatic lock of the entrance 51 of the house 50 as the usage target object.

Here, in the above-described variation of the utilization management system, the desire information on use may include biometric authentication information such as fingerprints, veins, irises, or the like of the users who are permitted to use, instead of the list of IDs of the users who are permitted. In this case, in FIG. 20, instead of the ID card 7 and the card reader 8, a biometric reader is connected to the utilization control device 1A. Further, in S408 and S409 of FIG. 21, when the biometric reader receives a read operation for making the biometric reader read biometric authentication information from the person (family member, friend, or the like) having a relation to the user, the biometric reader sends the read biometric authentication information to the utilization control device 1A. Then, in S410, the use restriction lifting part 14 of the utilization control device 1A confirms that the present date is within the period specified by the usable period start and end times included in the desire information on use, and confirms that the biometric authentication information received from the biometric reader is registered in a list of biometric authentication information included in the desire information on use.
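The two-level chain of trust summarised above (first public key validates the hole data, the second public key carried in the hole data validates each use permit, and the conditions in the transaction information decide whether an authenticated permit is still valid) together with the FIG. 20 variation's permission ID list, worked as an added example that is not part of the patent or any implementation of it. It uses Ed25519 for both signatures and the plaintext variant of the transaction information (no common-key encryption); the struct field names, the step references in comments and the sample values in the test are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Transaction models record 2250 (field names are constructed for this example).
type Transaction struct {
	TransactionID, ObjectID, UserID string
	Start, End                      time.Time // usable period start and end times
	MaxUses                         int       // number of times of use
	PermittedIDs                    []string  // FIG. 20 variation: permission IDs; empty means no ID card is required
	ObtainableAt                    time.Time // use permit obtainable time
}

// HoleData carries the second public key and travels with a first signature made by the first secret key.
type HoleData struct{ SecondPub []byte }

// SignedBlob is a body plus the signature the receiver must verify before trusting the body.
type SignedBlob struct{ Body, Sig []byte }

// ManagementDevice holds the first and second key pairs for one object and its transactions.
type ManagementDevice struct {
	firstPriv, secondPriv ed25519.PrivateKey
	txs                   map[string]Transaction
}

// NewManagementDevice generates both key pairs; the control device pre-registers the first public key.
func NewManagementDevice() (*ManagementDevice, ed25519.PublicKey, error) {
	firstPub, firstPriv, err1 := ed25519.GenerateKey(rand.Reader)
	_, secondPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, errors.New("key generation failed")
	}
	return &ManagementDevice{firstPriv, secondPriv, map[string]Transaction{}}, firstPub, nil
}

// HoleData signs the hole data with the first secret key (hole generation request processing).
func (m *ManagementDevice) HoleData() (SignedBlob, error) {
	body, err := json.Marshal(HoleData{[]byte(m.secondPriv.Public().(ed25519.PublicKey))})
	return SignedBlob{body, ed25519.Sign(m.firstPriv, body)}, err
}

func (m *ManagementDevice) RegisterTransaction(tx Transaction) { m.txs[tx.TransactionID] = tx }

// IssuePermit follows S3100-S3106: the requester must be the transaction's user and the use permit
// obtainable time must have passed; the permit is then signed with the second secret key.
func (m *ManagementDevice) IssuePermit(tid, userID string, now time.Time) (SignedBlob, error) {
	tx, ok := m.txs[tid]
	if !ok || tx.UserID != userID || now.Before(tx.ObtainableAt) {
		return SignedBlob{}, errors.New("use permit request rejected (S3101)")
	}
	body, err := json.Marshal(tx) // plaintext variant: the common-key encryption is omitted
	return SignedBlob{body, ed25519.Sign(m.secondPriv, body)}, err
}

// ControlDevice is the NFC-only device; until hole data is set it trusts only the first public key.
type ControlDevice struct {
	FirstPub ed25519.PublicKey
	hole     *HoleData
	uses     map[string]int // uses consumed per transaction ID
}

// SetHole accepts hole data only when the first signature verifies against the first public key.
func (c *ControlDevice) SetHole(h SignedBlob) error {
	if !ed25519.Verify(c.FirstPub, h.Body, h.Sig) {
		return errors.New("first signature invalid: hole data rejected")
	}
	var hd HoleData
	if err := json.Unmarshal(h.Body, &hd); err != nil {
		return err
	}
	c.hole, c.uses = &hd, map[string]int{}
	return nil
}

// TryUnlock verifies the second signature with the public key from the hole data, then lifts the
// restriction only while the period, the number of uses and (if listed) the presented ID allow it.
func (c *ControlDevice) TryUnlock(p SignedBlob, now time.Time, presentedID string) (bool, error) {
	if c.hole == nil || !ed25519.Verify(ed25519.PublicKey(c.hole.SecondPub), p.Body, p.Sig) {
		return false, errors.New("no hole data or second signature invalid: use permit rejected")
	}
	var tx Transaction
	if err := json.Unmarshal(p.Body, &tx); err != nil {
		return false, err
	}
	allowed := len(tx.PermittedIDs) == 0 // the list is optional; when present the presented ID must be on it
	for _, id := range tx.PermittedIDs {
		allowed = allowed || id == presentedID
	}
	if !allowed || now.Before(tx.Start) || now.After(tx.End) || c.uses[tx.TransactionID] >= tx.MaxUses {
		return false, nil // authenticated but conditions not met: the permit is simply invalid
	}
	c.uses[tx.TransactionID]++
	return true, nil
}
```

A permit that fails its conditions returns false without an error, which mirrors the text's point that an expired or exhausted permit needs no revocation or return; a permit whose signature does not verify returns an error so the device can log a tampering attempt separately.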

Further, in the above embodiment, the storage part 201 is placed in the management device 2. The present invention, however, is not limited to this. The storage part 201 may be held by a file server connected to the WAN 60. In this case, the user information storage part 221, the provider information storage part 222, the object data storage part 223, the hole data storage part 224, and the transaction information storage part 225 may be held by respective different file servers. Or, each part may be divided into a plurality of parts that are held by a plurality of file servers in a distributed manner. Further, it is favorable that the information stored in these storage parts 221-225 is protected by using blockchain technology or the like.

Further, the above embodiments are described by taking examples where the utilization control device 1, 1A is used for unlocking the automatic lock installed at the entrance 51 of the house 50 as the usage target object. The present invention, however, is not limited to this. It is possible that a usage target object is a hotel, an inn, a guesthouse, a warehouse, a room, or the like, and the utilization control device 1, 1A is used for unlocking an automatic lock installed at an entrance of such a usage target object. Or, it is possible that a usage target object is a moving body such as an automobile or a bicycle, and the utilization control device 1, 1A is used for unlocking a door of the moving body or for turning on an ignition. Or, it is possible that a usage target object is a browsing terminal for an electronic medium of, for example, an electronic medical record, an electronic book, or the like, and the utilization control device 1, 1A is used for lifting the restriction on access to the electronic medium or for decrypting an encrypted electronic medium.

REFERENCE SIGNS LIST

1, 1A: utilization control device; 2: management device; 3: provider terminal; 4: user terminal; 7: ID card; 8: card reader; 10: Near Field Communication part; 11: setting information etcetera storage part; 12: object setting part; 13: hole setting part; 14: use restriction lifting part; 15: signature verification part; 16: decryption part; 50: house; 51: entrance; 60: WAN; 61: relay device; 62: wireless network; 63: Near Field Communication; 200: WAN interface part; 201: storage part; 202: user management part; 203: object management part; 204: hole management part; 205: transaction management part; 206: login processing part; 207: object registration request processing part; 208: hole generation request processing part; 209: transaction approval/disapproval inquiry part; 210: transaction request processing part; 211: use permit request processing part; 221: user information storage part; 222: provider information storage part; 223: object data storage part; 224: hole data storage part; and 225: transaction information storage part.

1-12. (canceled)
13. A utilization management system that manages use of a usage target object, comprising: a utilization control device that controls use of the usage target object by locking/unlocking, access control or encrypting/decrypting based on a use permit; a management device that manages the usage target object by association with the utilization control device; a provider terminal that sets hole data required for verification of the use permit in the utilization control device; and a user terminal that notifies the utilization control device of the use permit, wherein the management device comprises: a transaction management means that manages transaction information including conditions for using the usage target object; an object management means that manages a first secret key/public key in association with the utilization control device; a hole management means that manages a second secret key/public key in association with the utilization control device; a hole data processing means that generates a first signature on the hole data including the second public key managed by the hole management means by using the first secret key managed by the object management means to send the hole data and the first signature to the provider terminal; and a use permit processing means that generates a second signature on the use permit including the transaction information managed by the transaction management means by using the second secret key managed by the hole management means to send the use permit and the second signature to the user terminal; the provider terminal sends the hole data and the first signature received from the management device to the utilization control device via Near Field Communication; the user terminal sends the use permit and the second signature received from the management device to the utilization control device via the Near Field Communication; and the utilization control device communicates only via the Near Field Communication, and comprises: a hole setting means that verifies the first signature received together with the hole data from the provider terminal by using the pre-registered first public key to set the hole data in the utilization control device itself when the verification is established; a transaction information obtaining means that verifies the second signature received together with the use permit from the user terminal by using the second public key included in the hole data set in the utilization control device itself to obtain the transaction information included in the use permit when the verification is established; and a lifting means that lifts restriction on use of the usage target object with reference to the transaction information obtained by the transaction information obtaining means when the conditions specified by the transaction information are satisfied.
14. A utilization management system according to claim 13, wherein in the management device, the transaction management means manages the transaction information with a use permit obtainable time being included in the transaction information; and when the use permit processing means receives a use permit request accompanied by designation of the transaction information from the user terminal and it is after the use permit obtainable time included in the transaction information designated by the use permit request and managed by the transaction management means, the use permit processing means: generates the use permit that includes the transaction information; generates the second signature on the use permit by using the second secret key managed by the hole management means; and sends the use permit and the second signature to the user terminal.
15. A utilization management system according to claim 14, wherein the management device further comprises: a transaction approval/disapproval inquiry means that sends to the provider terminal a transaction approval/disapproval inquiry that includes conditions on use of the usage target object and that inquires about transaction approval/disapproval of services for using the usage target object, when the transaction approval/disapproval inquiry means receives a use request that includes the conditions on use of the usage target object from the user terminal; and a transaction information processing means that generates the transaction information that includes the conditions on use of the usage target object included in the transaction approval/disapproval inquiry and the use permit obtainable time and sends a transaction establishment notice that includes the use permit obtainable time to the user terminal, when a transaction acceptance response is received from the provider terminal as a response to the transaction approval/disapproval inquiry sent from the transaction approval/disapproval inquiry means to the provider terminal.
16. A utilization management system according to claim 13, wherein in the management device, when a hole generation request accompanied by designation of the utilization control device is received from the provider terminal, the hole data processing means: generates the second secret key/public key; generates according to the hole generation request the first signature on the hole data that includes the second public key by using the first secret key managed by the object management means; and sends the hole data and the first signature to the provider terminal.
17. A utilization management system according to claim 14, wherein in the management device, when a hole generation request accompanied by designation of the utilization control device is received from the provider terminal, the hole data processing means: generates the second secret key/public key; generates according to the hole generation request the first signature on the hole data that includes the second public key by using the first secret key managed by the object management means; and sends the hole data and the first signature to the provider terminal.
18. A utilization management system according to claim 15, wherein in the management device, when a hole generation request accompanied by designation of the utilization control device is received from the provider terminal, the hole data processing means: generates the second secret key/public key; generates according to the hole generation request the first signature on the hole data that includes the second public key by using the first secret key managed by the object management means; and sends the hole data and the first signature to the provider terminal.
19. A utilization management system according to claim 13, wherein the management device further comprises an object registration request processing means that generates the first secret key/public key and sends an object registration notice that includes the first public key to the provider terminal, when an object registration request accompanied by designation of the utilization control device is received from the provider terminal; the provider terminal sends the object registration notice received from the management device to the utilization control device via the Near Field Communication; and the utilization control device registers the first public key included in the object registration notice received from the provider terminal.
20. A utilization management system according to claim 14, wherein the management device further comprises an object registration request processing means that generates the first secret key/public key and sends an object registration notice that includes the first public key to the provider terminal, when an object registration request accompanied by designation of the utilization control device is received from the provider terminal; the provider terminal sends the object registration notice received from the management device to the utilization control device via the Near Field Communication; and the utilization control device registers the first public key included in the object registration notice received from the provider terminal.
 21. A utilization management system according to claim 15, wherein the management device further comprises an object registration request processing means that generates the first secret key/public key and sends an object registration notice that includes the first public key to the provider terminal, when an object registration request accompanied by designation of the utilization control device is received from the provider terminal; the provider terminal sends the object registration notice received from the management device to the utilization control device via the Near Field Communication; and the utilization control device registers the first public key included in the object registration notice received from the provider terminal.
22. A utilization management system according to claim 13, wherein in the management device, the hole management means also manages a common key by association with the utilization control device; the hole data processing means sends the hole data with the common key being included in the hole data; and the use permit processing means uses the common key to encrypt the transaction information to be included in the use permit; and in the utilization control device, the transaction information obtaining means uses the common key included in the hole data that is set in the utilization control device itself to decrypt the encrypted transaction information included in the use permit.
23. A utilization management system according to claim 14, wherein in the management device, the hole management means also manages a common key by association with the utilization control device; the hole data processing means sends the hole data with the common key being included in the hole data; and the use permit processing means uses the common key to encrypt the transaction information to be included in the use permit; and in the utilization control device, the transaction information obtaining means uses the common key included in the hole data that is set in the utilization control device itself to decrypt the encrypted transaction information included in the use permit.
24. A utilization management system according to claim 15, wherein in the management device, the hole management means also manages a common key by association with the utilization control device; the hole data processing means sends the hole data with the common key being included in the hole data; and the use permit processing means uses the common key to encrypt the transaction information to be included in the use permit; and in the utilization control device, the transaction information obtaining means uses the common key included in the hole data that is set in the utilization control device itself to decrypt the encrypted transaction information included in the use permit.
25. A utilization management system according to claim 13, further comprising an ID reader connected to the utilization control device, wherein in the management device, the transaction management means manages the transaction information that includes, as one of the conditions for using the usage target object, a list of permission IDs required for using the usage target object; and in the utilization control device, when the ID reader reads a permission ID from an ID storage medium, the lifting means lifts the restriction on use of the usage target object if the permission ID exists in the list of permission IDs included in the conditions specified by the transaction information obtained by the transaction information obtaining means and the conditions specified by the transaction information other than the list are satisfied.
26. A utilization management system according to claim 14, further comprising an ID reader connected to the utilization control device, wherein in the management device, the transaction management means manages the transaction information that includes, as one of the conditions for using the usage target object, a list of permission IDs required for using the usage target object; and in the utilization control device, when the ID reader reads a permission ID from an ID storage medium, the lifting means lifts the restriction on use of the usage target object if the permission ID exists in the list of permission IDs included in the conditions specified by the transaction information obtained by the transaction information obtaining means and the conditions specified by the transaction information other than the list are satisfied.
27. A utilization management system according to claim 15, further comprising an ID reader connected to the utilization control device, wherein in the management device, the transaction management means manages the transaction information that includes, as one of the conditions for using the usage target object, a list of permission IDs required for using the usage target object; and in the utilization control device, when the ID reader reads a permission ID from an ID storage medium, the lifting means lifts the restriction on use of the usage target object if the permission ID exists in the list of permission IDs included in the conditions specified by the transaction information obtained by the transaction information obtaining means and the conditions specified by the transaction information other than the list are satisfied.
28. A management device for managing a utilization control device that controls, based on a use permit, use of a usage target object by locking/unlocking, access control, or encrypting/decrypting, comprising: a transaction management means that manages transaction information that includes conditions for using the usage target object; an object management means that manages a first secret key/public key by association with the utilization control device; a hole management means that manages a second secret key/public key by association with the utilization control device; a hole data processing means that generates a first signature on hole data required for verification of the use permit and including the second public key managed by the hole management means by using the first secret key managed by the object management means to send the hole data and the first signature to a provider terminal setting the hole data to the utilization control device; and a use permit processing means that generates a second signature on the use permit including the transaction information managed by the transaction management means by using the second secret key managed by the hole management means to send the use permit and the second signature to a user terminal notifying the utilization control device of the use permit.
29. A utilization control device that controls use of a usage target object by locking/unlocking, access control, or encrypting/decrypting, based on a use permit, wherein the utilization control device communicates only via Near Field Communication, and comprises: a hole setting means that verifies a first signature received together with hole data required for verification of the use permit from a provider terminal by using a pre-registered first public key to set the hole data in the utilization control device itself when the verification is established; and a lifting means that verifies a second signature received together with the use permit from a user terminal by using a second public key included in the hole data set in the utilization control device itself to refer to transaction information included in the use permit when the verification is established and to lift restriction on use of the usage target object when conditions specified by the transaction information are satisfied.
30. A utilization management method for managing use of a usage target object by using: a utilization control device that controls use of the usage target object by locking/unlocking, access control, or encrypting/decrypting based on a use permit; a management device that manages the usage target object by association with the utilization control device; a provider terminal that sets hole data required for verification of the use permit in the utilization control device; and a user terminal that notifies the utilization control device of the use permit, wherein the management device manages transaction information including conditions for using the usage target object, and manages a first secret key/public key and a second secret key/public key in association with the utilization control device; generates a first signature on the hole data including the second public key by using the first secret key to send the hole data and the first signature to the provider terminal; and generates a second signature on the use permit including the transaction information by using the second secret key to send the use permit and the second signature to the user terminal; the provider terminal sends the hole data and the first signature received from the management device to the utilization control device via Near Field Communication; the user terminal sends the use permit and the second signature received from the management device to the utilization control device via the Near Field Communication; the utilization control device: communicates only via the Near Field Communication; verifies the first signature received together with the hole data from the provider terminal by using a pre-registered first public key to set the hole data in the utilization control device itself when the verification is established; and verifies the second signature received together with the use permit from the user terminal by using the second public key included in the hole data set in the utilization control device itself to refer to the transaction information included in the use permit when the verification is established and to lift restriction on use of the usage target object if the conditions specified by the transaction information are satisfied.
31. A computer-readable program, wherein the program makes a computer function as a management device that manages a utilization control device for controlling use of a usage target object by locking/unlocking, access control, or encrypting/decrypting based on a use permit; and the management device comprises: a transaction management means that manages transaction information including conditions for using the usage target object; an object management means that manages a first secret key/public key in association with the utilization control device; a hole management means that manages a second secret key/public key in association with the utilization control device; a hole data processing means that generates a first signature on hole data, which is required for verification of the use permit and includes the second public key managed by the hole management means, by using the first secret key managed by the object management means, and sends the hole data and the first signature to a provider terminal that sets the hole data in the utilization control device; and a use permit processing means that generates a second signature on the use permit including the transaction information managed by the transaction management means by using the second secret key managed by the hole management means, and sends the use permit and the second signature to a user terminal that notifies the utilization control device of the use permit.
32. A computer-readable program, wherein the program makes a computer function as a utilization control device that controls use of a usage target object by locking/unlocking, access control, or encrypting/decrypting, based on a use permit; and the utilization control device: communicates only via Near Field Communication, and comprises: a hole setting means that verifies the first signature received together with the hole data from the provider terminal by using the pre-registered first public key, and sets the hole data in the utilization control device itself when the verification is established; and a lifting means that lifts the restriction on use of the usage target object by referring to the transaction information obtained by the transaction obtaining means when the conditions specified by the transaction information are satisfied.
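The two-stage signature chain of claims 29 to 32 (hole data under the first key, use permit under the second key carried inside the hole data), written out as an added Go example that is not code from the patent; the message layouts, the Ed25519 choice and the validity-window condition are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)
// Constructed wire layouts for the two signed messages in the claims.
type HoleData struct{ HoleID string; SecondPub ed25519.PublicKey } // second public key rides in the hole data
type UsePermit struct{ HoleID string; NotBefore, NotAfter time.Time } // transaction information: a validity window
// Management holds both secret keys: the first signs hole data, the second signs use permits.
type Management struct{ first, second ed25519.PrivateKey }
// NewManagement also returns the first public key, which is pre-registered in the control device.
func NewManagement() (*Management, ed25519.PublicKey) {
	pub1, priv1, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	_, priv2, _ := ed25519.GenerateKey(nil)
	return &Management{priv1, priv2}, pub1
}
func (m *Management) Hole(id string) (msg, sig []byte) { // handed to the provider terminal
	msg, _ = json.Marshal(HoleData{id, m.second.Public().(ed25519.PublicKey)})
	return msg, ed25519.Sign(m.first, msg)
}
func (m *Management) Permit(id string, nb, na time.Time) (msg, sig []byte) { // handed to the user terminal
	msg, _ = json.Marshal(UsePermit{id, nb, na})
	return msg, ed25519.Sign(m.second, msg)
}
// ControlDevice (the lock) knows only the first public key until hole data arrives over NFC.
type ControlDevice struct{ FirstPub ed25519.PublicKey; hole *HoleData }
// SetHole is the hole setting means: store hole data only under a valid first signature.
func (d *ControlDevice) SetHole(msg, sig []byte) error {
	var h HoleData
	if !ed25519.Verify(d.FirstPub, msg, sig) || json.Unmarshal(msg, &h) != nil {
		return errors.New("hole data rejected: first signature invalid")
	}
	d.hole = &h
	return nil
}
// Lift is the lifting means: check the second signature with the stored key, then the conditions.
func (d *ControlDevice) Lift(msg, sig []byte, now time.Time) error {
	var p UsePermit
	if d.hole == nil || !ed25519.Verify(d.hole.SecondPub, msg, sig) || json.Unmarshal(msg, &p) != nil {
		return errors.New("use permit rejected: no hole data or second signature invalid")
	}
	if p.HoleID != d.hole.HoleID || now.Before(p.NotBefore) || now.After(p.NotAfter) {
		return errors.New("use permit conditions not satisfied")
	}
	return nil // restriction on the usage target object is lifted
}
```

Because the lock accepts hole data only under the first key, replacing the second key pair (for example when a provider changes) needs no change to the lock beyond a new NFC hole setting, and a permit signed by a key that never appeared in accepted hole data fails at the second verification.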
